Bacport fix bug #68741 - Null pointer dereference

author Stanislav Malyshev <stas@php.net>

Mon, 23 Mar 2015 01:20:59 +0000 (18:20 -0700)

committer Stanislav Malyshev <stas@php.net>

Mon, 23 Mar 2015 01:30:05 +0000 (18:30 -0700)
author Stanislav Malyshev <stas@php.net>
Mon, 23 Mar 2015 01:20:59 +0000 (18:20 -0700)
committer Stanislav Malyshev <stas@php.net>
Mon, 23 Mar 2015 01:30:05 +0000 (18:30 -0700)
diff --git a/NEWS b/NEWS

index 715227eb38677451164be412a1dd8e580f7634f8..365615418dd1b58ae57779fccc75f4879019f56f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ PHP                                                                        NEWS
    . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize()
      with SoapFault). (Dmitry)
  
+- Postgres:
+  . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui)
+
  19 Mar 2015 PHP 5.4.39
  
  - Core:
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c

index 16ce7bfb7f9c21a6f354f2d47102aaeacfae3a4d..eb557777583f15e591c45ae9f43578ee6be85db4 100644 (file)
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -6117,6 +6117,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c
         /* schame.table should be "schame"."table" */
         table_copy = estrdup(table);
         token = php_strtok_r(table_copy, ".", &tmp);
+       if (token == NULL) {
+               token = table;
+       }
         len = strlen(token);
         if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) {
                 smart_str_appendl(querystr, token, len);
author	Stanislav Malyshev <stas@php.net>
	Mon, 23 Mar 2015 01:20:59 +0000 (18:20 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Mon, 23 Mar 2015 01:30:05 +0000 (18:30 -0700)
NEWS		patch \| blob \| history
ext/pgsql/pgsql.c		patch \| blob \| history